Analysis
- max time kernel: 146s
- max time network: 191s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 14-07-2022 03:11
Static task: static1
Behavioral task: behavioral1
Sample: ORC_632344671694231.vbs
Resource: win7-20220414-en
General
- Target: ORC_632344671694231.vbs
- Size: 3.6MB
- MD5: b99d97ba3b2a9b7870cce7b44c417fe3
- SHA1: 5f60479c72aac2800ec0f795a3c0df39b25fc8bf
- SHA256: d9f78770a3888d3e00bf9bbb38220a9efbf07f340e864f595b59f58467eba764
- SHA512: f595cbad293453a093632665e189aab4d022ba3131390e2f8557f80b92c38cddf07fdaac6b584ad0f3b870c80eadcda0459c232763f77b154260a62cb2e2fe4b
Malware Config
Extracted: dridex
- 162.213.37.188:443
- 178.128.20.11:3389
- 128.199.136.72:691
- 87.118.70.66:8443
Signatures
- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (regsvr32.exe):
    description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
    pid: 4812
    pid_target: 4736
    process: regsvr32.exe
- Loads dropped DLL (1 IoCs)
  Processes (regsvr32.exe):
    pid: 3936
    process: regsvr32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes (WScript.exe):
    pid: 2744
    process: WScript.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (regsvr32.exe):
    description: PID 4812 wrote to memory of 3936 | pid: 4812 | process: regsvr32.exe | target process: regsvr32.exe
    description: PID 4812 wrote to memory of 3936 | pid: 4812 | process: regsvr32.exe | target process: regsvr32.exe
    description: PID 4812 wrote to memory of 3936 | pid: 4812 | process: regsvr32.exe | target process: regsvr32.exe
Processes
- C:\Windows\System32\WScript.exe (depth 1)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORC_632344671694231.vbs"
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\regsvr32.exe (depth 1)
  regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\XyqXoUyD.txt
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (depth 2)
    -s C:\Users\Admin\AppData\Local\Temp\XyqXoUyD.txt
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\XyqXoUyD.txt
  Filesize: 423KB
  MD5: b861a8f7f58a22063b772ef249a2dfb9
  SHA1: 1774c75facd27783084de244ca4dd60b925cdc49
  SHA256: 7adb29216a445d2e815f8155c0b14f6e34d657b41acd9f6cfbfa29085cb47487
  SHA512: c83baa859f811f33418316831cec82a78aaa22d184e6f5618128fe845781a195d4c4233d84e68da84841318312aefd0cedb4f07cb338a624ef44204b39acf47e
- memory/3936-131-0x0000000000000000-mapping.dmp
- memory/3936-133-0x0000000074C70000-0x0000000074C8D000-memory.dmp
  Filesize: 116KB
- memory/3936-134-0x0000000074C70000-0x00000000755E1000-memory.dmp
  Filesize: 9.4MB